Analysis
- max time kernel: 53s
- max time network: 72s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 28/03/2023, 07:48
Static task: static1
Behavioral task: behavioral1
Sample: 822bd10acf6de2543cc31717de001fda9ed665d1d515eadb4903a05319d08e84.exe
Resource: win10-20230220-en
General
- Target: 822bd10acf6de2543cc31717de001fda9ed665d1d515eadb4903a05319d08e84.exe
- Size: 683KB
- MD5: f5ac9245e5c5816ef71ec76a98492b99
- SHA1: 2ffefd23cf8c0f6b017c64f91fc6ec9a1a3f99a0
- SHA256: 822bd10acf6de2543cc31717de001fda9ed665d1d515eadb4903a05319d08e84
- SHA512: 6d942c0fb437e0c45f638804c13da7b22d5b843f45211c22f2619acd64dd84ebba6462707bff39d9e2a5511d7b2497cacc12d95aba02a855eed08d6849024f30
- SSDEEP: 12288:tMrUy90G4FErcxsujr7LW/TGmRs4LlYCNPJjmsUupmZs3SqNZjE:FyEFLxsujnoTGd4RYC75TmZsCuq
Malware Config

Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted
- Family: redline
- Botnet: from
- C2: 176.113.115.145:4125
- auth_value: 8633e283485822a4a48f0a41d5397566
Signatures

Modifies Windows Defender Real-time Protection settings
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pro9131.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pro9131.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pro9131.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pro9131.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pro9131.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
Executes dropped EXE (4 IoCs)
- PID 3984: un464822.exe
- PID 4920: pro9131.exe
- PID 4800: qu0158.exe
- PID 3076: si679734.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pro9131.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pro9131.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (822bd10acf6de2543cc31717de001fda9ed665d1d515eadb4903a05319d08e84.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un464822.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un464822.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (822bd10acf6de2543cc31717de001fda9ed665d1d515eadb4903a05319d08e84.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 4920: pro9131.exe
- PID 4920: pro9131.exe
- PID 4800: qu0158.exe
- PID 4800: qu0158.exe
- PID 3076: si679734.exe
- PID 3076: si679734.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 4920: pro9131.exe
- Token: SeDebugPrivilege, PID 4800: qu0158.exe
- Token: SeDebugPrivilege, PID 3076: si679734.exe
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 3992 wrote to memory of 3984 (822bd10acf6de2543cc31717de001fda9ed665d1d515eadb4903a05319d08e84.exe, target PID 3984, procid_target 66)
- PID 3992 wrote to memory of 3984 (822bd10acf6de2543cc31717de001fda9ed665d1d515eadb4903a05319d08e84.exe, target PID 3984, procid_target 66)
- PID 3992 wrote to memory of 3984 (822bd10acf6de2543cc31717de001fda9ed665d1d515eadb4903a05319d08e84.exe, target PID 3984, procid_target 66)
- PID 3984 wrote to memory of 4920 (un464822.exe, target PID 4920, procid_target 67)
- PID 3984 wrote to memory of 4920 (un464822.exe, target PID 4920, procid_target 67)
- PID 3984 wrote to memory of 4920 (un464822.exe, target PID 4920, procid_target 67)
- PID 3984 wrote to memory of 4800 (un464822.exe, target PID 4800, procid_target 68)
- PID 3984 wrote to memory of 4800 (un464822.exe, target PID 4800, procid_target 68)
- PID 3984 wrote to memory of 4800 (un464822.exe, target PID 4800, procid_target 68)
- PID 3992 wrote to memory of 3076 (822bd10acf6de2543cc31717de001fda9ed665d1d515eadb4903a05319d08e84.exe, target PID 3076, procid_target 70)
- PID 3992 wrote to memory of 3076 (822bd10acf6de2543cc31717de001fda9ed665d1d515eadb4903a05319d08e84.exe, target PID 3076, procid_target 70)
- PID 3992 wrote to memory of 3076 (822bd10acf6de2543cc31717de001fda9ed665d1d515eadb4903a05319d08e84.exe, target PID 3076, procid_target 70)
Processes
- C:\Users\Admin\AppData\Local\Temp\822bd10acf6de2543cc31717de001fda9ed665d1d515eadb4903a05319d08e84.exe (depth 1, PID 3992)
  Command line: "C:\Users\Admin\AppData\Local\Temp\822bd10acf6de2543cc31717de001fda9ed665d1d515eadb4903a05319d08e84.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un464822.exe (depth 2, PID 3984)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un464822.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9131.exe (depth 3, PID 4920)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9131.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0158.exe (depth 3, PID 4800)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0158.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si679734.exe (depth 2, PID 3076)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si679734.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 175KB
  MD5: 59422a7c28a81ba7669d57e201738431
  SHA1: dff0d602bcf944abb3b7a7789d2822bc84f05836
  SHA256: ecb8ee200eeaa424e73fe6b887242368297b4b57705d0d418e5035f7736a4187
  SHA512: c9b5658e59667ba5b2de749ff27e6f1a9fd63a6b76b8b2b36fd2e2d6673f2b53657df63a832bbfe1885c84ed28ba6526c3961597c0cc82ee9fd30d6ed2e981cb
- Filesize: 542KB
  MD5: 6b8d0c15e2d237656e17a158d84af1c3
  SHA1: 0a97825dd46c3d33a8fe1aa43b48b47310c02811
  SHA256: e08d890961833d4270640190808dd47b395b8de86c8c371023403fab64612623
  SHA512: d285f67c48c02720e02fd01b48c82b51ded1b2af04fde1d2599cccf27f672699247b3003e9e4a58dc9fc8ea5dabe43bc894b05f8fad4b39d4011343e65566852
- Filesize: 321KB
  MD5: ec4d99132e00e3bc2a83064830ca303d
  SHA1: 1a00681e83521aa63badea0ef9542e684ac83f2f
  SHA256: 4463671222e08668b14c4cef816f595f5fc319b8c626d5257b77852734416a23
  SHA512: e9719d9fc4e6f0c2fbc3af043a18cb9f9ebf384cd5d8fad82aaf031ad7777ca806efa1d4407ff884fb4ee44aacafd91e993a2333daa41bcd188d7ca36931cbc9
- Filesize: 380KB
  MD5: 0b03765d3e2b3618036dde4fb2ec0b9e
  SHA1: fcbe019d15abed6fb66fb31ab5a19b57910c1e5c
  SHA256: b546e7c1056160d0b673251d87953cb4997139a813b385d90e477706c3b83fcf
  SHA512: e94aba5487be1b74e6631455a4455bf6da92172659a2a1853c108d251085a8296865b907f8243aae336a2cb60f1f49845afa4c660b5627609033b6c6ce8fbbe6